After signing with my Entrust Authenticode or Kernel Mode Code Signing Certificate, Windows states that the file is not signed

Problem:

After signing with my Entrust Authenticode or Kernel Mode Code Signing Certificate, Windows states that the file is not signed.

Cause:

Windows Vista does not support SHA2 (SHA256) Code Signing certificates at this time.

Windows 7 and Server 2008 require an update; see the Microsoft security advisory at https://support.microsoft.com/en-us/kb/3033929

Workaround:

Windows 8 and later support SHA2 Authenticode Certificates. You can use the Microsoft Signing Tool to sign with both SHA1 and SHA2 certificates. You will be required to issue two Authenticode Code Signing Certificates, one for SHA1 and one for SHA2. For more information, follow the instructions suggested by Microsoft in "Signing a driver package with two signatures".

Signing a driver package with two signatures

In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.

Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.

  • In the Solution Explorer window, right-click Solution SolutionName, and choose Configuration Manager. For the driver project and the package project, set Configuration to Win7 Release, and set Platform to x64.
  • Open the property pages for the driver package. Navigate to Configuration Properties > Driver Signing > General. In the Sign Mode drop-down list, select Production Sign. For Production Certificate, enter the path to your signing certificate.
  • In the property pages for the driver package, navigate to Configuration Properties > Custom Build Step > General. For Description, select Performing Custom Build Step. For Execute After, select DriverProductionSign. For Command Line, enter this command.

    Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)

    where XX...XX is the hash of the certificate you are using for the secondary signature.

    Note: To see the hash (also called the thumbprint) of a certificate, open a Command Prompt window and navigate to the directory that contains your certificate. Enter the command certutil -dump CertName.pfx, where CertName.pfx is the name of your certificate.
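The same dual-signing sequence run outside Visual Studio, followed by a check that both signatures are actually present. This is an added example, not Entrust's or Microsoft's script. It assumes signtool.exe is on the PATH and both certificates are installed in the certificate store; the script name, parameter names and helper functions are hypothetical.

```powershell
# DualSign.ps1 (hypothetical name): SHA1 primary signature + appended SHA256 signature.
param(
    [Parameter(Mandatory)] [string] $Path,                # file to sign, e.g. a .sys or .cat
    [Parameter(Mandatory)] [string] $PrimaryThumbprint,   # certificate for the SHA1 signature
    [Parameter(Mandatory)] [string] $SecondaryThumbprint  # certificate for the SHA256 signature
)
$ErrorActionPreference = 'Stop'

# certutil can print the hash as space-separated bytes, and a thumbprint copied
# from the certificate dialog can carry an invisible U+200E mark. Strip both,
# then insist on exactly 40 hex digits so a bad value fails here and not in signtool.
function ConvertTo-SignToolThumbprint([string] $Raw) {
    $hex = $Raw -replace '[\s\u200E]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a SHA1 certificate thumbprint: '$Raw'"
    }
    $hex.ToUpperInvariant()
}

# Run signtool and stop the script on a non-zero exit code.
function Invoke-SignTool {
    & signtool.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

$primary   = ConvertTo-SignToolThumbprint $PrimaryThumbprint
$secondary = ConvertTo-SignToolThumbprint $SecondaryThumbprint

# 1. Primary signature with a SHA1 file digest. Without /as, signtool replaces
#    any signature already on the file, so this step must run first.
Invoke-SignTool sign /fd sha1 /sha1 $primary $Path

# 2. Secondary signature appended with /as (same switches as the command above).
Invoke-SignTool sign /fd sha256 /ph /as /sha1 $secondary $Path

# 3. Verify each signature by index. /ds 1 fails if the second signature is
#    missing, which catches a build where the append step was skipped.
Invoke-SignTool verify /pa /ds 0 $Path
Invoke-SignTool verify /pa /ds 1 $Path

Write-Host "Both signatures verified on $Path"
```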
